Necurs Botnet Distributing Locky Ransomware via Fake Invoices

The Necurs spam botnet has switched back to distributing the Locky ransomware in a campaign featuring messages disguised as fake invoices, Cisco Talos security researchers reveal.

Last year, Necurs was the main driver behind Locky’s ascension to the top of the ransomware charts, and their activity was tightly connected. Following several months of vacation in early 2017, Necurs resumed activity in April, but distributed Locky only for a few weeks.

Starting around May 12, the same day WannaCry made its first appearance, Necurs switched to distributing a new ransomware family called Jaff. The malware was found to be tightly connected to Locky, as the same actor operated both ransomware families.

Earlier this month, however, Kaspersky Lab security researchers discovered vulnerabilities in Jaff and managed to create a decryptor for it, allowing victims to recover their data for free. Although three Jaff variants were observed to date, the decryption tool would work for all three of them.

The decryptor’s release apparently took Jaff out of the race, and Necurs returned to pushing Locky once again. The spam emails pushing the ransomware feature a double-zipped archive with an .exe file inside. Unlike previous Necurs-driven campaigns, which used themes such as order confirmations, payment receipts, and business documents, the new messages are fake invoices.
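The delivery format described above (an .exe inside a zip inside a zip) can be flagged at a mail gateway by unpacking attachments in memory. The following is an added example, not code from Talos or from the original article; the extension list, the nesting and size limits, and the file names in the constructed sample are assumptions.

```python
import io
import zipfile

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")  # assumed blocklist
MAX_DEPTH = 3                         # assumed limit on archive layers inspected
MAX_MEMBER_BYTES = 20 * 1024 * 1024   # assumed cap on a member's declared size

def find_nested_executables(data, depth=0, path=""):
    """Return (member path, archive depth) for each executable inside zip data."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip: nothing to report
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = path + info.filename
            if info.filename.lower().endswith(EXECUTABLE_EXTS):
                hits.append((name, depth + 1))
                continue
            # Skip encrypted or oversized members rather than unpacking them.
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                continue
            blob = archive.read(info)
            # Detect inner archives by magic bytes, not by file extension.
            if blob.startswith(b"PK\x03\x04") and depth + 1 < MAX_DEPTH:
                hits += find_nested_executables(blob, depth + 1, name + "!")
    return hits

def is_double_zipped_executable(data):
    """True when an executable sits two or more archive layers deep."""
    return any(d >= 2 for _, d in find_nested_executables(data))

def build_sample():
    """Constructed input: outer zip -> inner zip -> dummy .exe (placeholder bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_1234.exe", b"MZ placeholder, not a real binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice_1234.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for member, layer in find_nested_executables(build_sample()):
        print(f"executable at archive depth {layer}: {member}")
```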

The newly observed campaign, Talos reports, features a notable volume of spam: during the first hour, it accounted for around 7% of the email volume registered by one of the company’s systems. The volume has decreased, but the campaign continues to be active, the security researchers say.

The campaign uses the same affiliate ID as before, but the ransomware itself appears to have undergone a series of changes, one of which prevents it from encrypting data on systems running operating systems more recent than Windows XP.

The command and control (C&C) URL structure is another notable aspect of this campaign, the security researchers say: “Adversaries behind this latest Locky campaign have reused the /checkupdate path as part of the URL structure -- the same URL structure found in previous Locky campaigns. This is perhaps another indication that adversaries were hasty in their developing and distributing this campaign.”

Talos suggests that Locky’s operators are likely aware of the existing issues with the ransomware, and that an updated variant of the malware is likely to emerge soon, addressing the bug. At the moment, however, the Locky sample distributed via Necurs can encrypt only Windows XP systems.

“It's always risky clicking on links or opening attachments in strange email messages. Users that fail to heed this advice can easily become ransomware victims, and if the subsequent ransom is paid, the monies will no doubt fund another round of attacks. As always, organizations are encouraged to make regular backups of their data, practice restoring said data, and store backups offline far out of the reach of potential criminals,” Talos said.